A government research company estimates that about a third of the Defense Department's $4 billion request for spending on IT security is included in general spending on various departmental programs and not coded specifically as spent on information systems security, making it difficult to track the Pentagon's total cybersecurity spending, according to a report released on Monday.
More than $1 billion of Defense's IT security budget is embedded in 106 information technology programs and not specifically identified in the department's fiscal 2009 IT security budget request, according to a report issued by Government Insights, an IDC company that focuses on the federal IT market.
Of the more than 2,000 line items in Defense's fiscal 2009 IT budget request, 52 are coded specifically for information systems security, totaling $2.9 billion, the report noted. Funding for the highly confidential Comprehensive National Cybersecurity Initiative, which the Bush administration began putting together in 2007, is likely contained in one or more of the programs, because there is no separate line in the budget for the initiative, the report concluded.
In addition, the research firm estimated that another $2 billion of information security spending in the intelligence community was not accounted for in the total IT security budget request.
"A significant part probably goes to defense intelligence and intelligence-related 'black' programs, whose funding and even existence is often not revealed but are hidden in other programs," according to Mark Kagan, author of the report.
Government Insights estimated that the total fiscal 2009 IT budget for the intelligence community is nearly $20 billion, with about 85 percent controlled by Defense. If 10 percent of the budget is earmarked for IT security, which the report calls a conservative estimate, that means an additional $1.7 billion of IT security funds will be allocated to the department in 2009.
Defense's $4 billion IT security budget accounts for about 13 percent of its total fiscal 2009 IT budget request of $33 billion, according to the report.
Cybersecurity programs that are specifically identified in the budget combine departmentwide efforts into one catch-all initiative, such as information protection and assurance, and computer network defense. Defense and the services might have combined multiple programs into one budget line item to reduce the workload associated with preparing the annual Exhibit 53 documents agencies must submit to the Office of Management and Budget, and to reduce the risk of revealing sensitive information about IT security operations, threats and vulnerabilities, according to the report.
"Transparency, in this case, may not be a good thing," Kagan wrote. He added, however, that the appropriate amount of information to release "may sometimes be in the eye of the beholder," since equally sensitive defense programs often reveal varying degrees of information.
Ray Bjorklund, senior vice president of FedSources, a McLean, Va., consulting firm, defended the budget method. "It's very challenging to precisely account for spending on capabilities that are supposed to be designed into every facet of the system," he said.
Alan Paller, director of research at the SANS Institute, a cybersecurity research and education group based in Bethesda, Md., said the decision to keep specifics about security spending and programs confidential protects the federal government from global threats that could use that information to exploit vulnerabilities.
"I don't think in any way DoD should illuminate for the world what the security programs are," he said. "Companies should bring their capabilities in and then get invited to the table to learn more about where they might fit in. But don't wait for government to say, 'Here are the seven information security efforts we're doing. How can you contribute?' "
Bjorklund said: "Enhanced transparency would be welcome, but, in most cases, national security trumps transparency."